Sentinel went missing yesterday

Brass Contributor

Greetings

A few weeks ago I set up a fresh Log Analytics workspace and purchased Sentinel for it. Both are set up as PayGo for now. Yesterday when I came to work I was greeted by the error message "Workspace (my workspace) not found or does not have Microsoft Sentinel. Please select a different workspace and try again". The left menus of Sentinel are visible and I can access the logs in the workspace just fine but Sentinel is gone. The error summary doesn't give me any further information like error codes and so on.

Kind'a hard when I just spent the most part of a week setting up all the data connectors and analytic templates.

Anyone have any ideas?

/Fredrik

8 Replies
Still like that today? Does anyone else have delete access to that resource group?

I assume by OMS, you mean a Log Analytics workspace.

Correct, that should all be Log Analytics workspace. I'm looking for the Azure Activity logs as we speak but I doubt someone could have deleted the Sentinel instance by mistake. Also Sentinel is still visible for the workspace if I go to Azure-Resources-Sentinel.

Update: There is no delete event in the Azure Monitor logs for the Sentinel instance, but there is a health event for this Saturday with the title "More than 1 hour latency", and it's shown as resolved.

/Fredrik
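The check Fredrik describes above (looking through the Azure Activity log for a delete of the Sentinel instance) can be done over an exported set of Activity Log events. The script below is an added example, not code from this thread or from Microsoft. It assumes events in the Activity Log REST schema (`operationName.value`, `caller`, `eventTimestamp`, `resourceId`, `status.value`); the subscription id, caller names, timestamps and the workspace name `my-workspace` are constructed. Sentinel is enabled on a workspace through a `Microsoft.OperationsManagement/solutions` resource named `SecurityInsights(<workspace>)`; the set of delete operations listed is my assumption of what to look for and should be adjusted to the operation names your tenant's log actually shows. Failed attempts are reported too, since a denied delete is still worth knowing about.

```python
"""Scan Azure Activity Log events for operations that would remove Microsoft
Sentinel from a Log Analytics workspace (or the workspace itself)."""
import json

# Operation names (lower-cased) whose success removes Sentinel or its workspace.
# Assumption: this is the set worth checking; extend it if your log shows others.
SENSITIVE_OPERATIONS = {
    "microsoft.operationsmanagement/solutions/delete",
    "microsoft.securityinsights/onboardingstates/delete",
    "microsoft.operationalinsights/workspaces/delete",
}

# Constructed sample events (not real data) in the Activity Log REST schema.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
SAMPLE_EVENTS = [
    {   # a successful delete of the Sentinel solution on our workspace
        "operationName": {"value": "Microsoft.OperationsManagement/solutions/delete"},
        "caller": "alice@contoso.example",
        "eventTimestamp": "2022-11-12T06:14:09Z",
        "resourceId": f"{_SUB}/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(my-workspace)",
        "status": {"value": "Succeeded"},
    },
    {   # a harmless write to a saved search in the same workspace
        "operationName": {"value": "Microsoft.OperationalInsights/workspaces/savedSearches/write"},
        "caller": "bob@contoso.example",
        "eventTimestamp": "2022-11-11T10:02:00Z",
        "resourceId": f"{_SUB}/providers/Microsoft.OperationalInsights/workspaces/my-workspace/savedSearches/x",
        "status": {"value": "Succeeded"},
    },
    {   # a solution delete, but on a different workspace
        "operationName": {"value": "Microsoft.OperationsManagement/solutions/delete"},
        "caller": "carol@contoso.example",
        "eventTimestamp": "2022-11-11T09:00:00Z",
        "resourceId": f"{_SUB}/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(other-workspace)",
        "status": {"value": "Succeeded"},
    },
    {   # a failed attempt to delete the whole workspace
        "operationName": {"value": "Microsoft.OperationalInsights/workspaces/delete"},
        "caller": "dave@contoso.example",
        "eventTimestamp": "2022-11-10T18:30:00Z",
        "resourceId": f"{_SUB}/providers/Microsoft.OperationalInsights/workspaces/my-workspace",
        "status": {"value": "Failed"},
    },
]


def _targets_workspace(resource_id: str, workspace: str) -> bool:
    """True if the resource is the workspace itself, something under it,
    or the SecurityInsights(<workspace>) solution that enables Sentinel."""
    rid = resource_id.lower()
    ws = workspace.lower()
    return (
        rid.endswith(f"/workspaces/{ws}")
        or f"/workspaces/{ws}/" in rid
        or f"securityinsights({ws})" in rid
    )


def find_sentinel_removals(events: list[dict], workspace: str) -> list[dict]:
    """Return the sensitive delete operations aimed at `workspace`, oldest first,
    with who did it, when, and whether it succeeded."""
    findings = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if op not in SENSITIVE_OPERATIONS:
            continue
        if not _targets_workspace(ev.get("resourceId", ""), workspace):
            continue
        findings.append({
            "time": ev.get("eventTimestamp", ""),
            "caller": ev.get("caller", "<unknown>"),
            "operation": op,
            "status": ev.get("status", {}).get("value", "<unknown>"),
            "resource": ev.get("resourceId", ""),
        })
    # ISO 8601 UTC timestamps of the same shape sort correctly as strings.
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; swap in json.load(open(path)) for a real export.
    for f in find_sentinel_removals(SAMPLE_EVENTS, "my-workspace"):
        print(json.dumps(f, indent=2))
```

For a real investigation, export the Activity Log for the subscription (or query the `AzureActivity` table if it is already flowing into the workspace) and feed the event list to `find_sentinel_removals`. An empty result with Sentinel still missing, as in Fredrik's case, points away from an accidental delete and towards the service side.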

If you haven't already, you will need to open a ticket for this one.

Happy to track it in the system if you need that. You can send me a private message here on Techcommunity.

I appreciate that. Thing is our Azure subscription is handled through a partner and they are sometimes slow to respond, but a case has been registered with them.

Hi
The partner just came back with the Microsoft ticket 2211100050001204. I don't know if that means anything to you.

The Sentinel is still unavailable.
To add to the confusion the logic behind Sentinel seems to be running still because the SecurityAlert table in the LA Workspace is getting new entries according to my analytics rules.

@TheHoff70 I'm (my customer is) having this "Workplace not found" issue also.

I'm not sure if this is related or this is some other 'bug', but all the documentation states that in order to modify connector configuration for Azure Active Directory one would need either the Global Admin or Security Admin role. Well, I have the latter activated via PIM. Sentinel still gives me a red cross over the "Diagnostic Settings: read and write permissions to AAD diagnostic settings." Sure enough, when I navigate to AAD diagnostics settings, I can't access them. Okay, what AAD role does have access to the "microsoft.aadiam/diagnosticsSettingsCategories/read" action? Turns out I can't find any in this list: Azure AD built-in roles - Azure Active Directory - Microsoft Entra | Microsoft Learn. What am I missing here? I've operated with the GA role in other tenants and at least in the past that role could pretty much do anything, set the AAD diagnostics even. The customer tried this with his Global Admin role and nope. Couldn't modify the connector configuration, got the same red cross for the diagnostics settings as I did. I'm getting worried.

Hi everyone
More than a month went by where Microsoft sent me the odd request for additional screenshots or some checkup from our Azure portal. No clear theory emerged, but I finally got the suggestion to recreate Sentinel on the original LA workspace. That worked and after a while all my data connectors and custom analytic rules reappeared. Microsoft reassured me this wouldn't happen again, but it has once, and cost me a month without "my" SIEM which I had grown very fond of.
Case closed it seems.

/Fredrik